Consumer privacy protection is the use of laws and regulations to protect individuals from privacy loss due to the failures and limitations of corporate customer privacy measures. Corporations may be inclined to share data for commercial advantage and to avoid officially recognizing it as sensitive, so as to limit their legal liability if security lapses occur. Modern consumer privacy law originated from telecom regulation when it was recognized that a telephone company had access to unprecedented levels of information. Customer privacy measures were seen as inadequate to deal with the many hazards of corporate data sharing, corporate mergers, employee turnover, and theft of data storage devices (e.g., hard drives) that could store a large amount of data in a portable location.

Corporate customer privacy practices are approaches taken by commercial organizations to ensure that confidential customer data is not stolen or abused. Since most organizations have strong competitive incentives to retain exclusive access to these data, and since customer trust is usually a high priority, most companies take some security engineering measures to protect customer privacy. There is also a concern that companies may sell consumer data if they have to declare bankruptcy, although doing so often violates their own privacy policies.[1] These measures vary in effectiveness, and would not typically meet the much higher standards of client confidentiality applied by ethical codes or legal codes in banking or law, nor patient privacy measures in medicine, nor rigorous national security measures in military and intelligence organizations.

Since they operate for profit, commercial organizations cannot spend unlimited funds on precautions while remaining competitive; a commercial context tends to limit privacy measures and to motivate organizations to share data when working in partnership. The damage done by privacy loss is not measurable, nor can it be undone, and commercial organizations have little or no interest in taking unprofitable measures to drastically increase the privacy of customers. Corporations may be inclined to share data for commercial advantage and to avoid officially recognizing it as sensitive, so as to limit their legal liability if security lapses occur. This has led to many moral hazards and customer privacy violation incidents.

Some services—notably telecommunications, including Internet—require collecting a vast array of information about users’ activities in the course of business, and may also require consultation of these data to prepare bills. In the US and Canada, telecom data must be kept for seven years to permit dispute and consultation about phone charges. These sensitivities have led telecom regulation to be a leader in consumer privacy regulation, enforcing a high level of confidentiality on the sensitive customer communication records.

The focus on telecom has become outmoded to some degree, as other industries also gather sensitive data. Such common commercial measures as software-based customer relationship management, rewards programs, and target marketing tend to drastically increase the amount of information gathered (and sometimes shared). These practices drastically increase privacy risks and have accelerated the shift to regulation, rather than reliance on the corporate desire to preserve goodwill.


These concerns have led to consumer privacy laws in most countries, especially in the European Union, Australia, New Zealand and Canada. Notably, among developed countries, the United States has no such law and relies on corporate customer privacy disclosed in privacy policies to ensure consumer privacy in general. Modern privacy law and regulation may be compared to parts of the Hippocratic Oath, which includes a requirement for doctors to avoid mentioning the ills of patients to others, not only to protect them but to protect their families, and also recognizes that innocent third parties can be harmed by the loss of control of sensitive personal information.

Modern consumer privacy law originated from telecom regulation when it was recognized that a telephone company, especially a monopoly (known in many nations as a PTT), had access to unprecedented levels of information: the direct customer's communication habits and correspondents and the data of those who shared the household. Telephone operators could frequently hear conversations, inadvertently or deliberately, and their job required them to dial the exact numbers. The data gathering required for billing began to become a privacy risk as well. Accordingly, strong rules on operator behaviour, customer confidentiality, record keeping and destruction were enforced on telephone companies in every country. Typically only police and military authorities had legal powers to wiretap or see records. Even stricter requirements emerged for various banks' electronic records. In some countries, financial privacy is a major focus of the economy, with severe criminal penalties for violating it.

Through the 1970s many other organizations in developed nations began to acquire sensitive data, but there were few or no regulations in place to prevent them from sharing or abusing the data. Customer trust and goodwill were generally thought to be sufficient in first-world countries, notably the United States, to ensure the protection of truly sensitive data; caveat emptor was applied in these situations. But in the 1980s, smaller organizations also began to get access to computer hardware and software, and these simply did not have the procedures, personnel or expertise, much less the time, to take rigorous measures to protect their customers. Meanwhile, via target marketing and rewards programs, companies were acquiring ever more data.

Gradually, customer privacy measures were seen as inadequate to deal with the many hazards of corporate data sharing, corporate mergers, employee turnover, and theft of data storage devices (e.g., hard drives) that could store a large amount of data in a portable location. Explicit regulation of consumer privacy gained further support, especially in the European Union, where each nation had laws that were incompatible (e.g., some restricted the collection, some the compilation, and some the dissemination of data); it was possible to violate privacy within the EU simply by doing these things from different places in the European Common Market as it existed before 1992.

Through the 1990s, the proliferation of mobile telecom, the introduction of customer relationship management, and the use of the Internet in developed nations brought the situation to the forefront, and most countries had to implement strong consumer privacy laws, often over the objections of business. The European Union and New Zealand passed particularly strong laws that were used as a template for more limited laws in Australia and Canada and some states of the United States (where no federal law for consumer privacy exists, although there are requirements specific to banking and telecom privacy). In Austria around the 1990s, the mere mention of a client's name in a semi-public social setting was enough to earn a junior bank executive a stiff jail sentence.